mindcert cisco ipsec mindmap
TRANSCRIPT
Cisco IPsec
Motivation and Study Techniques to help you learn, remember, and pass your technical exams!
CiscoCISSPCEHMore coming soon...
Visit us www.mindcert.com
Definition
Provides security services at the IP layerA framework of servicesAdds security to the upper layers in the OSI model By Implementing a new set of headers
Utilizes Security Associations (SA)One SA is required per directionA router to router IPsec VPN will use two SA's One in each direction
Two Frame Formats
Both change the datagramAuthentication Header AH
Encapsulating Security Payload ESP
Authentication Header
AHIP Protocol 51
ProvidesOrigin authentication Does a one-way hash of the packet
DOES NOT OFFER DATA CONFIDENTIALITY Encryption
SupportsTunnel Mode
Adds a new headerAuthenticates the whole new datagram
Transport Mode Authenticates the whole existing datagram
Not compliant with NAT As NAT changes the IP HeaderThe will break AH authentication
Encapsulating Security Payload
ESPIP Protocol 50
ProvidesConfidentiality Encryption
IntegrityOrigin Authentication
Supports
Tunnel Mode
Original datagram is placed in the encrypted ESP payload
Uses encrypted ESP headersCannot detect tampering whilst deliveredAlthough payload is fully secure
Transport Mode
Keeps the existing IP header and encrypts the original payload
Only authenticates the ESP header and payloadcannot detect tampering whilst deliveredAlthough payload is fully secure
Is Compliant with NAT
Two Protection Modes
Transport Mode
Protects the payload of the original IP datagramUsed for end to end sessions
Cannot be used When NAT is required
Tunnel ModeProtects entire datagramPlaces whole datagram in a new datagramWorks with NAT
Key Exchange
In IPsec, Key Exchange is provided by the Internet Key Exchange IKE
IKE provides scalability for exchanging keys between IPsec IKE is synonymous with ISAKMP
IKE has two phases
IKE Phase One
No security is currently in placeMaster secret is exchanged to authenticate the peersIKE Phase One sets the secure channel for the data encryption key exchange which is done in IKE Phase Two IKe Phase One negotiates IKE SAs
IKE SA parameters are agreed at Phase OneHashAuthentication
Two Modes
Aggressive Mode
Eliminates several Phase One steps
Faster but less secure Three way packet exchange
Typically used in Remote Access VPNs
Main Mode
Slower but more secure Six way packet exchange
Cisco devices use main modeCan respond to peers that use aggressive mode
Uses Diffie-Hellman (DH) to create the secure channel
IKE Phase Two
IKE negotiates the IPsec SAs and generates the required key material for IPsecTransform set and all other IPsec parameters are agreed at Phase Two
One Mode Quick Mode Reinitiates to refresh the SA
Perfect Forward Secrecy
PFSIf enabled, occurs at IKE Phase TwoCarries out a new DH exchange with each Quick Mode
Configuration
Step 1IKE Phase One
Enable ISAKMPRouter(config)#crypto isakmp enable
ISAKMP is enabled by default
Step 2
Define the ISAKMP policy
Parameters that are used during ISAKMP negotiation
Encryption
3DESDES
AES128-bit
1932-bit256-bit
HashMD5SHA
Authentication
Pre-ShareHave to set a pre-shared key
Router(config)#crypto isakmp key cisco123 address 1.1.1.1Would set the key cisco123 for the peer 1.1.1.1
RSA-EncrRSA-Sig
DH Group125
SA Lifetime60-86400 Seconds
Defaults
EncryptionDES56-bit
HashSHA
AuthenticationRSA-Sig
DH Group1768-bit
SA Lifetime86400 SecondsOne Day
Step 3
Configure the ISAKMP Identity methodRouter(config)#crypto isakmp identity {address | hostname}
OptionsIP AddressHostname
DefaultIP Address
Step 4
IKE Phase Two
Define IPsec Transform Sets
Router(config)#crypto ipsec transform-set myset esp-des esp-md5-hmacThis would create a transform set called myset
using ESP and DES for Encryptionusing ESP and MD5 for Authentication
You are then in crypto transform configuration mode
Further configurationRouter(cfg-crypto-trans)#mode {transport | tunnel}
Sets the mode to either Transport or TunnelDefault is Tunnel
Step 5
Define Crypto ACLCrypto ACL is the Access Control List that specifies the traffic to be sent over the VPN
Router(config)#access-list 199 permit ip host 1.1.1.1 host 2.2.2.2Would encrypt traffic with IPsec from host 1.1.1.1 to host 2.2.2.2
Step 6
Define Crypto Maps
Router(config)#crypto map mymap 10 ipsec-isakmpConfigures a Crypto Map with a sequence number of 10The Crypto Map will use ISAKMP
Crypto Map configuration commands
descriptionDescription of the Crypto Map
dialerDialer related commands
matchMatch crypto ACL
reverse-routeCommands for reverse route injection
set
peerIdentifies the IPsec peer
transform-setIdentifies which transform set to use
pfsUse PFS or not
security-associationSet SA parametersLifetime
Crypto maps pull together various parts used to set up the IPsec SAs
Types
StaticAll entries are pre-configured
DynamicEntries are configured dynamically as the result of IPsec negotiation
Apply the Crypto Map
Crypto Maps are applied to the interface where the traffic leaves and enters a router
You must apply the crypto map both the the physical and logical interface when using GRE tunnels